PCI Security Risk Assessment
Phillip Crum: Well, let’s get started.
Kathleen Mills: Yeah, let's.
PC: It’s time once again to jump into the pool and see what’s down at the bottom. How are you doing, Kathleen?
KM: I’m good. How are you doing?
PC: I’m pretty darn good, I am. It’s hot outside and I’m inside so it doesn’t get any better than that.
KM: Well, unless the air conditioner’s not cranked where it needs to be. Hint hint.
PC: You know what I know?
PC: Tod Ferran’s in the house once again.
KM: One more time.
PC: The Tod Ferran.
Tod Ferran: Hey, guys!
KM: Hey, Tod. How are you doing, sir?
TF: I am just hunky dory. How are you guys?
KM: I’m good now that I’m talking to the super dark knight of them all who keeps us safe from all the evilness and all that kind of stuff. Like, I think that’s pretty cool. I was posting on my Facebook post that Tod Ferran makes Batman look like a sissy, and Superman not so super. So there you go, Tod. You’re way up in the food chain.
TF: (Laughs) Oh my goodness.
KM: Yeah, you are.
TF: Yeah, it’s a high mark to hit.
KM: It is a high mark to hit. And I want to introduce Tod Ferran with Halock Security Labs. Am I saying that correctly? I hope. And Tod, tell us–
TF: It’s actually Tod Ferr-an. [Clarifies proper pronunciation of his last name.]
KM: Ferr-an. Oh man, I need to do this again.
TF: Kind of like Duran Duran.
KM: Tod Ferr-an at Halock Security Labs.
PC: You mean we’ve been calling you the wrong name for two years now?
TF: I realized that I need to really tell people what the right pronunciation is. And since I use the Duran Duran now at the office whenever they talk about me they always say Tod Ferran Ferran.
KM: (laughs) That’s a good way to remember it. Well, Tod– tell us a little bit about you before we get started, and then I’m going to give you a statement and I’m just going to let you run with it today. We’re going to be talking about PCI compliance. But tell us a little bit about you and what you like to do.
TF: Well, I’ve been in IT for close to 30 years in various different capacities. The last five years or so, I’ve been doing IT security for health care professionals and for anybody handling credit cards. Then I [inaudible 2:28], like risk assessments with banks and things like that. So, anything regarding IT security, I have my fingers into a little bit and doing assessments. I live in Utah just outside of Salt Lake City, and I have a boat that we enjoy very much and a timeshare in Cancun that we enjoy very much. Six kids and four grandkids, and another one on the way.
PC: And in his spare time he corrects people’s grammar and pronunciation.
KM: And then he’s going to come to my office and do the security.
PC: What spare time?
KM: Yeah, what spare time?
PC: You’ve been traveling a lot lately, have you?
TF: Yeah, I have been. The last couple weeks I was all over the US. Went out to corporate offices in California for a week, and then visited a bunch of their retail locations in Orlando and Boston and San Antonio and Atlanta and Louisville, Kentucky.
PC: Well, you should have them straightened out by now, shouldn’t you?
TF: Keeps me busy, yeah.
PC: Alright. So I’ve had two or three people stop me in the hallway today and say, “Phillip, what is PCI compliance?” And I said, “I don’t know.”
TF: Well, that’s a great question. So PCI stands for Payment Card Industry and basically if you take credit cards, when you sign that little agreement saying, “I’m going to take credit cards,” with your processor, you basically agree that you’re going to be what’s called PCI compliant. The PCI Data Security Standard, or PCI DSS, is about 350 different requirements that we’re expected to be in compliance with.
PC: Tod– let me interrupt there. There’s a listener out there right now who’s about to tune out because she’s thinking, “Well, this doesn’t apply to me. I’ve got three credit cards and big brother’s going to take care of me and it’s too complicated so somebody in the government’s going to have to help me with that and take care of it for me and I can go do something else.” So is that true or false?
TF: That’s not true. This is one of the few regulations, or standards, that is enforced from the private industry. So if you’re not PCI compliant and you lose some credit cards, you can get fined and they will take– VISA and MasterCard– they will fine you dollar amounts. I’ve seen fines upwards of $50,000 to $100,000. Some of the fines coming on are on a monthly basis – $3,000 to $5,000 a month for somebody that’s not compliant is pretty common. But even if you only take one credit card a year– as soon as you take that one credit card, PCI compliance applies to you. Now, we talk about this 350 some odd requirements, but really for small vendors or small health practitioners, we don’t have to worry about that big set because we’re in a much smaller environment that we can more easily control. But we do have to take some action on our part. It’s not something we can shuffle off to someone else and say, “Oh, it’s somebody else’s problem.” So it’s things that we need to be aware of and we can certainly talk about that. Did you have another question you wanted me to launch into– how it impacts a small health practitioner or small business owner?
KM: Right. Well, my question is that the Square device that I use said that they’re going to take all that responsibility so I’m good, right?
TF: You know, the Square device actually does do that. And that’s one of the nice things about the Square as far as being a small merchant is concerned, because Square has set it up. We have so many thousands of small retailers across the US and what we’re doing is from Square’s standpoint is we’re going to protect that credit card information as soon as you swipe it into our little device. And even though it’s going to go through your phone or your iPad or whatever to get back to Square, they’re taking on the responsibility of that chain from the Square device to them. So that portion of PCI is something you don’t have to worry about if you’re with Square now. If you’re with one of the other knock-offs, you have to check the fine print of their contract. Some of them are doing that; some of them aren’t. So if you think that they’re covering you, you need to make sure. It’s not something you really want to gamble with. But we still have everything handling the credit card prior to the time that you swipe it on the Square reader. We talked about some of these things when we talked about HIPAA compliance. We need to realize where we have information. If patients are emailing us credit card numbers, or they’re faxing credit card numbers to us now that those devices are in scope, we have to be worried about our fax machine. We have to be worried about someone calling and leaving a voice recording because now that recording has credit card information in it. And if we get an email now, our email system has credit card information in it. So each of those has different types of channels or points that we have to handle in a PCI compliant manner. And there’s ways to do that that are not totally going to break your bank, but that you can do it, too. Just be aware. A lot of the newer fax and copy machines actually have a configuration that you can set that says I want you to securely delete things, and then it will do that. 
Then it keeps that hard drive cleaned up so you don’t have either credit card information or health HIPAA information – electronic protected health information stored on these devices as well. Voice mail is a little bit different kind of an animal and there’s so many different types of voice mail out there, I couldn’t even begin to jump into those too deeply because there’s just too many different ones.
KM: You make a great point, because I’ve got to control the stuff before it swipes through the Square. Where is this credit card information coming from? Which is a great point because I had a counselor freak out. Their lease was up on their copy machines and fax machines, and they turned it in and they forgot to get the chip out of the computer, or out of the copier before they sent it back to the leasing agent. And she was a mess. And they finally got it back, but your point is that it’s living in some devices before it goes through your terminal.
KM: Could you talk a little bit more about that? Because I think that’s where I get stuck is I’ve got to figure out where the credit card information is coming from, how I’m storing it, where it is and is it on a post-it note or is it an email?
PC: How do I find out where that stuff lives, and if I don’t know where it lives, who do I talk to?
TF: Well, you’re the one that’s– as the business owner or the health care practitioner– it’s your responsibility to figure out where that’s happening. And we talk about with PCI some of the requirements is we have a network diagram, and that we have a card data flow diagram. Now, we certainly don’t need to do that when we’ve got a small office– one computer, maybe two computers and a phone system. A network diagram, quite frankly, is overkill. But the thought is that we still should be using just even a piece of paper and making a diagram of where credit card information comes in. And what we might do– and this is what I would recommend for especially a small individual or entity (not that the individual themselves is small, but that this organization is small; there’s only a handful of people involved)– is put a notebook there by the iPad or whatever your Square device is. And every time you swipe a credit card, flip that open and take a look at your diagram. See where the card – before I swiped it – how did this card get to the swipe device? And create a little diagram. This card came through handed to me over the counter. Or they called in. So you just create these little simple flows that say came to the phone system and a little arrow going to the Square device. You might have an email and just show your computer system with a little arrow going to the Square device. So very simplistic, but that’s the way that you can figure out what are all the devices it’s going through. Because there are tools out there that will go out there and find the credit card information on the devices, but they’re expensive and they don’t work well for a lot of the different varieties that I see in small health care offices. We have different types of phone systems. We have different types of copiers and scanners and faxes. Workstations are pretty straightforward, and so the tools would be able to dig through that.
But we could do a little bit of leg work and just track where these cards are coming through, and just write them down so we have an idea of what devices it’s touching before it gets to Square. Like I said, if we’re using some other process, maybe we have a little terminal swipe machine there like you see at McDonald’s or a fast food place where we’re having customers swipe that card on or we’re entering the card numbers into. That could be– again, we need to find out from our provider who’s handling the PCI requirements between that device and the processor, or the bank that’s doing the credit card transactions.
PC: I just want to go back to the days, Tod, where there was only three television stations on my TV. Or is there a number I can call? 1-800-Ferran-Ferran. Is there a number? No number, eh? Alright.
TF: You ready for a phone number?
PC: NO, I was kidding. But if you’ve got one, let’s hear it.
TF: Okay, that’s what I thought.
KM: Well, this can be– I like what you’re saying with the diagram because I never thought of it that way. It’s like where is it coming from, how am I getting that card number? So if I’m a small business and I’m selling products online through my website, I have to be kind of mindful of that little map of how I’m getting their credit card information if I’m selling stuff online. Correct?
TF: Oh, absolutely. What are we doing for our e-commerce side? Are we using somebody like GoDaddy that has a whole shopping cart experience and they’re handling it for me? And they should have some sort of information there that says they’re handling the PCI requirement for us. And most of those companies do, but if we were saving some money and we have cousin Andy doing it for us on a server over at his house, we could have some real liability there because we don’t really know exactly what’s going on from that e-commerce standpoint. We don’t know what cousin Andy is doing with those credit card numbers– if they’re being stored on that server, if they’re being transmitted in a secure manner over to the processor. We just don’t really typically know any of that information. So those would be the things that we want to be aware of. Now we’re using– maybe it’s something in between: It’s not cousin Andy and it’s not one of the big boys like GoDaddy or IBM. It may be a local IT company. Well, that’s a good question we would want to pose to them: “You’re handling my e-commerce site for me. I know I need to be PCI compliant. Help me understand what you’re doing on our website and if I need to be concerned about PCI compliance.” And they should come back with something that showed that yes they’re doing it in a PCI compliant manner. Usually what we look for is what’s called an “Attestation of Compliance.” It’s just a couple pages long that says, “Here’s the company. There’s been an assessment done and they validated that yes they are PCI compliant.” And that attestation of compliance is good for 12 months, so that would give us the assurance we need to know our vendor is really handling this credit card in a compliant manner.
KM: So our vendor who’s done the attestation compliance portion, they could show us that they’ve done that compliance through that- just verified that they’ve passed for 12 months? I mean, is that something that we need to ask for up front?
TF: Yeah, we really should ask for it up front before we start a relationship with a vendor that’s going to be handling credit cards for us. One of the things that would probably be very helpful for all the listeners out there would be to go to the PCI security council website and just take a look. They have some frequently asked questions. They have what are called self-assessment questionnaires, which are very good about breaking down the different types of requirements that apply to us. So for instance, they have an exacting self-assessment questionnaire.
KM: And that’s a free download I can get, right?
TF: Yes, that’s a free download. In fact, you probably would like to have that URL. It’s www.pcisecuritystandards.org and you just go to there and go to Document Library and they have a whole bunch of information. They have a suite of documents for what’s called a small merchant, which is what most of our health care practitioners would fall under – small business or small merchant. And that information can help you understand what your requirements are and what you should be doing as far as vendor scope. It helps a lot as you educate yourself, then you start to know where to look for areas of risk to your business. Once you get those flows ironed out, you understand what equipment it’s going through, then that will help you know which of the different self-assessment questionnaires apply to you. And then you have the instructions there and they do a really good job of trying to help people through that. So that would be a resource.
KM: That’s really– so it’s www.pcisecuritystandards.org suite of downloads. Free downloads to get your kind of assessment of where everything needs to be, how you need to be handling your credit card transactions. That’s an awesome deal.
So I do this free download and I’m probably going to be needing to call somebody to help me kind of put things together. Do you guys do that?
TF: We do. We don’t do very much with small entities, but if it was a quick question I would be happy to answer that. Generally I do full-blown off-site assessments and I work with a lot of larger companies. But yeah if somebody’s just got a quick question, they can reach out to me and I would be happy to answer short questions for them.
PC: Do you have a number for cousin Eddie?
KM: (Laughs) I don’t think cousin Eddie needs his number to be giving out.
PC: I think he’s the same guy Hillary was into. We don’t even want to touch that.
TF: That’s a good point, you know. You look at Hillary – you know that she spent some money to have her own email server and they still did it incorrectly. They didn’t do it right. So that’s why it’s so important that you have somebody that understands PCI and not just says, “Oh we’re protecting things,” and take their word for it.
KM: So that leads me to the next question, Tod. How do I know my PCI compliant company that I’m choosing to do business with is reputable? What are the– can you give me a blueprint of like what it needs to look like, or how do I know that they’re-?
PC: Competent. How do I know these guys know what they’re doing?
TF: The AOC – Attestation of Compliance – is really kind of the golden ticket. If they have that, then you’re in good shape. You just have to make sure that it covers whatever services or products that they’re providing to you. And to find vendors you can go on to the VISA service provider list, and I can give you the URL for that: it’s www.visa.com. You can go to that website and it will show you vendors that are PCI compliant that are registered with VISA. And so you’ll have a lot of customers, especially bigger ones, that say we’re only going to deal with somebody if you’re on the VISA service provider list because that removes a lot of risk from them because now that they can be confident that if there is an issue with that service provider, that that service provider is liable and has already taken steps to reduce that risk there as much as they reasonably can. Now for small health practitioners, and a lot of times we may have a company we’re using to work on our computers when we need it, sometimes we don’t have a good option there with the AOC. So then we have to do some due diligence with them and include them in our self-assessment questionnaire. So as we figure out what our flows are – let’s say that our computer is one of our flows – so our credit cards are going through our computers through an e-commerce site that this company is hosting for us, then we would sit down with them with the appropriate FAQ and say, “I need you to help me fill this out because you’re handling credit cards on my behalf. You don’t have an attestation of compliance so I have to include you as I do my own questionnaire.” And that would be one way to work with somebody who’s not on a PCI validation list, or they’re not on a VISA list. If they haven’t been through the process, you take them through the process with you as you’re doing it for yourself.
KM: Let me give you one more scenario. I’m a counselor. I have a website– online website. I do tele-mental health distance counseling online through a secure portal, let’s say. And all of my credit card transactions are through PayPal. Is that… walk me through that PCI…
PC: Assess that situation.
KM: Yeah, assess that situation. What does that particular therapist need to kind of figure out in that scenario?
TF: Okay. That’s a great case study. So, we’ve got an e-commerce site that when they’re ready to purchase something, it redirects them or uses a third party payment application such as PayPal. So then we just want to make sure with our IT company that – and I hate to get too technical – but that we’re doing something called a frame or a redirect. What that means basically is that when the customer is actually entering in their credit card information, they’re not really – even though it might look like it – they’re really not entering it into my website. They’re entering it into PayPal or whoever that processor is. So then that processor would then be handling all that for us. So for instance, if you use PayPal specifically, and so they have to go to PayPal to make the payment, then PayPal is dealing with the PCI compliance so you don’t have to worry about that channel. You just have to be aware that that channel exists and just document that yes I have an e-commerce site and we’re using PayPal and we’re redirecting it to the PayPal site for them to make the payment. Then we just get a notification back on our website that yes payment went through successfully, and either daily or weekly or monthly we get money kicked back to us from PayPal that they collected on our behalf. So that works really well. Now there are some instances where if it’s not PayPal and it’s somebody else, but it’s often something similar but our website designer has incorporated that code into our web server, so now they really are entering credit card information onto our web server. Now our web server is in scope and so is our webmaster so we have to be aware that that’s happened.
PC: Tod, we’ve got about two and a half minutes left to go. So we’re going to have to wrap. If I’ve heard you correctly, there’s a process here we’ve gone over. So just real fast – give me the first three steps I need to take if I’ve not addressed any of this before. What do I do first, then what do I do next? And the third one.
TF: So the very first thing you want to do in the next couple weeks, track where your credit card flows are. Where they come in, where they go out, how are they handled, and then make a list of all the equipment that the credit cards are passing through. Then the next step is going to be to reach out to any of the vendors that are involved in the credit card flows and find out about their PCI compliance. Once we’re on with that information, then we can go to the PCI Security Standards website and take a look at the different self-assessment questionnaires and figure out which one, or maybe two, are the right ones for us to complete for ourselves. And that would then help us to get things launched and started. Oftentimes our bank or processor, if we just reach out to them and say, “Hey, I’m completing my SAQ. Do you happen to have any resources that can help?” A lot of times they will have resources that can help you with understanding or working through that self-assessment questionnaire.
PC: Tod Ferran of Halock Security Labs. Where can we find you? Where can we find a little bit more about you? Information? Where where where?
TF: www.halock.com is the organization I work for. We do all sorts of things from implementing firewalls and intrusion detection systems to doing governance and risk assessments and PCI compliance, HIPAA compliance, all of those kinds of things.
PC: Alright. Good.
TF: And you can reach me. My email address is [email protected].
PC: Very good, sir. And I’m Phillip Crum, www.ContentMarketingCoach.us, and right over there is
PC: Tod, if you’ll hang around when we’re done here, I’ve got a few questions for you. And we’ll do it again. Appreciate it very much.
KM: Tod, thank you so much. This has been very helpful.
PC: Thanks for listening everybody.
TF: Thanks, guys. It’s always a pleasure chatting with you.
PC: See you later, Tod. Thank you now.
TF: Take care.